forcin https protocol instead http protocol on some websites

vetusa2 · September 25, 2012, 4:03pm

i would like to force my network users for their own protection to use to https://www.facebook.com instead of http://www.facebook.com

how???

vetusa2 · September 29, 2012, 7:38am

hello!

c0d3rSh3ll · September 29, 2012, 4:00pm

try this

/ip firewall nat
add action=dst-nat chain=dstnat comment="https facebook" content=facebook.com \
    dst-port=80 protocol=tcp to-addresses=66.220.158.70 to-ports=443

vetusa2 · September 30, 2012, 9:40pm

didn’t work !

Sob · September 30, 2012, 10:35pm

As could be expected. That rule silently redirects port 80 to 443 and browser can’t know that it happened. So it still talks http, instead of required https. You need to intercept http connection and send proper redirect to https back to browser.
It should be possible using web proxy, I’m just not sure about the one in RouterOS. First, when I add redirect to https://www.facebook.com, it sends this to browser:

Location: http://https://www.facebook.com

Seems like a bug to me (I currently have ROS 5.18, it may be different in newer version). And I also don’t see an option to keep the path, so you could redirect http://server/some/path/ to https://server/some/path/ and not only to home page (but maybe I just missed that, I don’t use proxy much).

Toiletbowl · October 1, 2012, 5:45am

i use L7 script and work well

vetusa2 · October 2, 2012, 8:32am

can you provide me with the layer7 script?

vetusa2 · October 3, 2012, 6:37pm

echo!

c0d3rSh3ll · October 4, 2012, 2:12am

what is your solution?

Toiletbowl · October 4, 2012, 3:32am

add action=drop chain=forward comment=force_facebook_drop disabled=no in-interface=your_lan_network layer7-protocol=facebook

/ip firewall layer7-protocol
add comment=“” name=facebook regexp=facebook

jandafields · October 5, 2012, 12:14am

That is BAD idea. That will simply block http facebook (and all other sites that have the word facebook anywhere in it!)… it won’t redirect. Now, you will get people calling you to say that the “Internet is broken.”

vetusa2 · October 5, 2012, 7:37pm

is there any working solutions then?

Sob · October 5, 2012, 9:03pm

It depends.

If you really want it and you’re talking about some small IPv4-only office network or something around that size, then wait for hopefully stable MetaRouter in ROS 5.21, create one with OpenWRT and the simplest proxy server with configurable redirects support you can find, transparently redirect http traffic to it, configure the required http redirect rule and you’re set.

Other cases will range from more challenging to almost impossible.

jandafields · October 6, 2012, 12:38am

For their own protection?!?!? That doesn’t make sense. What protection will this give them? It won’t protect their login information, because all of the logins are already on https.

vetusa2 · October 6, 2012, 2:08pm

lol

let me type in your language then

i want them to be working on https://www.facebook.com and not on http://www.facebook.com !

jandafields · October 6, 2012, 3:34pm

I understand what you want. I don’t understand WHY.

you don’t really get any additional protection from it!

vetusa2 · October 6, 2012, 4:02pm

are you sure?

not even sniffing

jandafields · October 6, 2012, 4:39pm

seriously? Sniffing Facebook posts? LOL!

vetusa2 · October 6, 2012, 4:52pm

how about pictures and comments and even email addresses and most important http passwords?

jandafields · October 6, 2012, 5:03pm

login is ALWAYS https in Facebook. So that point is moot.